ESET Researchers Share Takeaways from Cooperative Investigation of the Linux/Moose Malware Family

First detected by ESET Virus Radar in March 2015, Linux/Moose initially operated as a remotely controlled backdoor targeting Linux-based consumer routers. As presented in an ESET whitepaper on the topic in 2015, the malware can also infect other Linux-based embedded systems in its path, with compromised devices stealing unencrypted network traffic and offering proxying services to the botnet operators.

Over the last year, Linux/Moose has evolved further. To better understand the changes, GoSecure investigated the social media fraud aspect, shedding light on a previously unknown market they called “The Ego Market”, while ESET researchers focused on the technical changes in the new Moose variants.

One of the key differences noticed in the new sample was the absence of a command and control (C&C) IP address hardcoded in the malware. In the new version, the C&C address is instead supplied as an encrypted command line argument. This means the sample can no longer be run in isolation: to obtain the C&C IP address, a test machine must itself be compromised by an embedded device spreading the threat in the wild.

Ultimately, the changes discussed in today’s WLS Blogpost mean that Linux/Moose’s authors have worked hard to stay under the radar.

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.